Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Delta Sues AI Chatbot Provider Over 2017 Data Breach

August 22, 2019

The Wall Street Journal (sub.req.) reported on August 16 that Delta Air Lines Inc. is suing an artificial-intelligence company that powered a chatbot on Delta's website, accusing it of lax cybersecurity that caused a 2017 data breach. Companies rarely sue technology providers over data breaches because their contracts generally specify the level of third-party suppliers' liability and because the two firms typically end up settling out of court.

Delta's lawsuit, filed in the U.S. District Court for the Southern District of New York, alleges that chatbot provider [24]7.ai Inc. lacked basic cybersecurity safeguards while running the AI-powered service on Delta's website in 2017 and 2018. The suit also says [24]7 waited more than five months to inform the airline of the breach instead of telling it immediately and did so using LinkedIn instead of official channels, potentially violating the companies' contract. LinkedIn – really?

William Bose, [24]7's senior vice president and acting general counsel, said the chatbot company intends to defend itself vigorously. "This has been an ongoing issue between the companies and nothing new has arisen, except that Delta has chosen to litigate this matter," he said in an email through a spokesman. They declined to address specific allegations.

Delta and a lawyer representing the airline declined to comment.

The airline disclosed the incident last year and said credit-card details and other personal information from up to 825,000 customers were exposed.

Delta is seeking reimbursement from [24]7 for all costs related to the breach, totaling millions of dollars, according to the suit. The airline hasn't disclosed expenses from the incident in its financial filings.

Privately held [24]7, founded in 2000 and based in San Jose, Calif., uses artificial intelligence to create customer-assistance products such as chatbots, consumer analytics programs and digital advertising services, according to its website.

The bot on Delta's website allowed customers to get information about purchasing tickets, changing itineraries and other requests. Hackers accessed [24]7's systems and modified source code, letting them scrape Delta customers' personal data and payment-card details from the airline's website, according to the suit.

The airline accuses [24]7 of failing to implement basic security controls such as requiring multifactor authentication for employees accessing source code and forbidding staff members from using the same login credentials. Hackers modified the chatbot's source code using compromised credentials, then monitored activity on Delta's website and captured data that visitors entered there. The breach wouldn't have happened if [24]7 had implemented "even basic access restrictions," the lawsuit said.

Delta's filing of the lawsuit nearly two years after hackers accessed customer data suggests that negotiations with [24]7 collapsed, lawyers said.

Some contracts state that technology suppliers must implement strong cybersecurity measures and have unlimited liability for breaches, said Ieuan Jolly, co-chair of the privacy, security and data innovations practice at law firm Loeb & Loeb LLP. "When you have a large, sophisticated customer like Delta negotiating with a smaller vendor, the smaller vendor doesn't have much leverage to push back on these fairly stringent contractual security obligations," he said.

Of course, it is also true that companies seek higher limits on their technology providers' liability because of the European Union's 2018 General Data Protection Regulation and the California Consumer Privacy Act, which takes effect next year.

Delta alleges that [24]7's Mr. Bose already knew about the breach when he signed a document in February 2018 stating that the technology company would comply with the GDPR and would immediately inform Delta about data breaches.

Well, that would likely spell trouble if true. Two days of blog posts about suing third-party providers says "something big is this way coming."

HT to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson